Ransom tariffs of the LockBit ransomware group
The ransom amount ranges from 0.1% to 10% of the victim’s annual income; the discount may not exceed 50%
© securitylab.ru, 11/20/2023, LockBit reforms: the group decided to introduce strict rules for ransomware partners
The LockBit extortion group has decided to radically change its approach to negotiations with victims. Leaders are concerned about low payouts from companies. One of the reasons is inconsistency in the actions of affiliates.
There is a perception within LockBit that less experienced affiliates are unable to extract even minimal ransoms from victims and offer discounts too often. The group’s leaders recorded cases where the required amount was underestimated by up to 90%.
In addition, incident responders monitor the group’s communications and use the resulting data against the hackers themselves. This occurs when inexperienced negotiators in the process of communicating with the victim unwittingly reveal important information about their activities.
Before the new policy took effect in October, there were no clear strategies or guidelines for the negotiations. Affiliates acted solely at their own discretion.
In this regard, LockBit has developed special instructions defining the minimum ransom amount and the maximum allowable amount of discounts.
According to data collected by the analytics company Analyst1, LockBit conducted a survey among its members in September, giving them the opportunity to vote on potential rule changes.
The survey offered six options to choose from:
1. Leave everything as it is. Affiliates set their own rules without restrictions, as has always been the case.
2. Set a minimum ransom amount depending on the company’s annual income, for example, at 3%, and also prohibit discounts above 50%. Thus, if the company’s revenue is $100 million, the initial amount would be $3 million and the final payout should not be less than $1.5 million.
3. Do not set a fixed minimum ransom – it will depend on the damage caused to the victim. At the same time, the discount amount will also be limited to 50%. For example, if the amount sought is $1 million, the minimum allowable payment must be at least $500,000.
4. Prohibit any payments less than the amount for which the victim is insured against cyber attacks.
5. Prohibit any payments less than 50% of the amount for which the victim is insured against cyber attacks.
6. Other suggestions.
LockBit ultimately established two rules that govern all negotiations starting October 1st.
The first concerns the size of the payouts and how affiliates should calculate the initial amount based on the annual income of the attacked company.
Income up to $100 million – the ransom should be from 3 to 10%.
Income up to $1 billion – the ransom should be between 0.5 and 5%.
Revenue over $1 billion – the ransom should be between 0.1 and 3%.
The guide states that while the ultimate strategy is at the discretion of the partner, the guidelines should be followed “in typical ransomware use cases.”
Affiliates, for example, can adjust the amount if they are unable to destroy the victim’s data backups.
The second rule concerns discounts – it was decided to set a hard maximum of 50%.
“As of October 1, 2023, it is strictly prohibited to offer discounts of more than 50% of the originally requested amount in correspondence with the attacked company,” reads the message that LockBit sent to partners and provided to Analyst1.
habr.com, 08/10/2023, “LockBit Green – a new version of a dangerous encryptor attacks companies around the world”: LockBit is a cybercriminal group known for its activities in the field of cyber attacks on organizations and companies. It specializes in using ransomware to encrypt data and demand a ransom to unlock it. LockBit was first spotted in 2019, and since then the group has become one of the leading players in the cybercrime sector. Many agree that it was formed in Russia (*country sponsor of terrorism). Criminals use a two-step extortion strategy in which they first gain unauthorized access to a company’s systems and networks, then encrypt the data and demand a ransom in exchange for decryption. They are also known for threatening to release confidential data if a company refuses to pay a ransom. This puts additional pressure on the victim and encourages payment of the ransom.
LockBit is constantly evolving and improving its attack methods to evade detection and penetrate secure networks. They actively look for vulnerabilities in security systems, use social engineering and specialized tools to achieve their goals of obtaining the coveted ransom. In addition to its notoriety, LockBit is also one of the most active and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems. In October, security company Dragos estimated that in the second and third quarters of 2022, LockBit malware was used in 33% of ransomware attacks on industrial organizations and 35% of attacks on infrastructure. — Insert K.ru
RBC News Agency, 11/10/2023, “A cyber attack on the world’s largest bank disrupted trading in US bonds”: According to the US Cybersecurity and Infrastructure Security Agency (CISA), LockBit has attacked 1,700 US organizations since 2020. Washington suspects at least three Russians of involvement in attacks using LockBit malware. As part of the investigation, 20-year-old Ruslan Astamirov has already been arrested in the States; 33-year-old Mikhail Vasiliev has been detained in Canada and is awaiting extradition to the United States. Mikhail Matveev is wanted; for information about the latter, the State Department has promised a reward of up to $10 million. – Insert K.ru